Abstract 

Inevitability properties in branching temporal logics are of the syntax $\forall\Diamond\phi$, where $\phi$ is an arbitrary (timed) CTL formula. In the sense that "good things will happen", they are parallel to the "liveness" properties in linear temporal logics. Such inevitability properties in dense-time logics can be analyzed with greatest fixpoint calculation. We present algorithms to model-check inevitability properties both with and without the requirement of non-Zeno computations. We discuss a technique for early decision on greatest fixpoints in the temporal logics. Our algorithms come with a d-parameter for the measurement of time-progress. We have experimented with various issues which may affect the performance of TCTL inevitability analysis. Specifically, we report the performance of our implementation w.r.t. various d-parameter values and with or without the non-Zeno computation requirement in the evaluation of greatest fixpoints. We have also experimented with safe abstraction techniques for model-checking TCTL inevitability properties. Analysis of the experiment data helps clarify how various techniques can be used to improve verification of inevitability properties. 

Keywords: branching temporal logics, TCTL, real-time systems, inevitability, model-checking, greatest 
fixpoint, abstraction 



1 Introduction 

In the research of verification, two types of specification properties very often attract most interest from academia and industry. The first type specifies that "bad things will never happen" while the second type specifies that "good things will happen". In linear temporal logics, the former is captured by the modal operator $\Box$ while the latter by $\Diamond$. Tremendous research effort has been devoted to the efficient analysis of these two types of properties in the framework of linear temporal logics [25]. In the branching temporal logics of (timed) CTL [1, 11, 12], these two types can be mapped to the modal operators $\forall\Box$ and $\forall\Diamond$ respectively. $\forall\Box$ properties are called safety properties while $\forall\Diamond$ properties are usually called inevitability properties [16, 27]. In the domain of dense-time system verification, people have focused on the efficient analysis of safety properties [15, 19, 24, 28, 34, 35, 36, 37]. Inevitability properties in Timed CTL (TCTL) [1, 17] are comparatively more complex to analyze for the following reason. In the framework of model-checking, to analyze an inevitability property, say $\forall\Diamond\phi$, we actually compute the set of states that satisfy the negation of inevitability, in symbols $[[\exists\Box\neg\phi]]$, and then use the intersection emptiness between $[[\exists\Box\neg\phi]]$ and the initial states for the answer to the inevitability analysis. However, the property $\exists\Box\neg\phi$ in TCTL semantics is only satisfied with non-Zeno computations (Zeno computations are those counter-intuitive infinite computations whose execution times converge to a finite value [17]). For example, a specification like 
example, a specification like 

"along all computations, eventually a bus collision will happen in three time units" 

*The work is partially supported by NSC, Taiwan, ROC under grants NSC 90-2213-E-002-131, NSC 90-2213-E-002-132, 
and by the Internet protocol verification project of Institute of Applied Science & Engineering Research, Academia Sinica, 
2001. 
can be violated by a Zeno computation whose execution time converges to a finite timepoint, e.g. 2.9. Such a requirement on non-Zeno computations may add complexity to the evaluation of inevitability properties. In this work, we present our symbolic TCTL model-checking algorithm, which can handle the non-Zeno requirement in the evaluation of greatest fixpoints. The evaluation of inevitability properties in TCTL involves nested reachability analysis and demands much higher complexity than simple safety analysis. 

To contain the complexity of TCTL inevitability, it is important to integrate new and old techniques into a solution with acceptable performance. In this paper, we investigate three approaches. In the first approach, we investigate how to adjust a parameter value in our greatest fixpoint evaluation algorithms for better performance. We have carried out experiments to gain insight into this issue. 

In the second approach, we present a technique called Early Decision on the Greatest Fixpoint (EDGF). The idea is that, in the evaluation of the greatest fixpoints, we start with a state-space and iteratively pare states from it until we reach a fixpoint. Throughout the iterations of the greatest fixpoint evaluation, the state-space is non-increasing. Thus, if in an intermediate iteration of the greatest fixpoint evaluation we find that the target states have already been pared from the greatest fixpoint, we can conclude that it is not possible to include these target states in the fixpoint. Through this technique, we can avoid time-complexity that is irrelevant to the answer of the model-checking. As reported in section 9, significant performance improvement has been observed in several benchmarks. 

Our third approach is to use abstraction techniques. We shall focus on a special subclass, TCTL$^\forall$, of TCTL in which every formula can be analyzed with safe abstraction if over-approximation is used in the evaluation of its negation. For example, we may write the following formula in the subclass. 

$\forall\Box(\mathit{request} \rightarrow \forall\Box(\mathit{service} \rightarrow \forall\Diamond\mathit{request}))$ 

This formula says that if a request is responded to by a service, then a request will follow the service. This subclass allows for nested modal formulas and we feel that it captures many TCTL inevitability properties. 

One challenge in designing safe abstraction techniques in model-checking is making them accurate enough to discern many true properties, while still allowing us to enhance verification performance. In previous research, people have designed many abstraction techniques for reachability analysis [4, 15, 21], as have we. However, for model-checking formulas in TCTL$^\forall$, abstraction accuracy can be a bigger issue since the inaccuracy in abstraction can potentially be magnified when we use inaccurate evaluation results of nested modal subformulas to evaluate the enclosing modal subformulas with abstraction techniques. Thus it is important to discern the accuracy of previous abstraction techniques in discerning true TCTL$^\forall$ formulas. 

In this paper, we also discuss another possibility for the abstract evaluation of greatest fixpoints, which is to omit the requirement for non-Zeno computations in TCTL semantics. As reported in section 9, many benchmarks are true even without the exclusion of Zeno computations. 

Finally, we have implemented these ideas in our model-checker/simulator red 4.1 [35]. We report here our experiments to observe the effects of parameter values, EDGF, various abstraction techniques, and non-Zeno requirements on our inevitability analysis. We also compare our analysis with Kronos 5.1 [13], which is another model-checker for full TCTL. 

Our presentation is ordered as follows. Section 2 discusses several related works. Sections 3 and 4 give brief presentations of our model, timed automata (TA), and TCTL. Section 5 presents our TCTL model-checking algorithm with requirements for non-Zeno computations. Section 6 improves our model-checking algorithm using the EDGF technique. Section 7 gives another version of the greatest fixpoint evaluation algorithm by omitting the requirement of non-Zeno computations. Section 8 identifies the subclass TCTL$^\forall$ of TCTL which covers many inevitability properties, while allowing for safe abstract model-checking by using over-approximation techniques. Section 9 presents our experiment results and helps clarify how various techniques can be used to improve the analysis of inevitability properties. Section 10 is the conclusion. 



2 Related work 

The TA model with dense-time clocks was first presented in [2]. Notably, the data-structure of DBM was proposed for the representation of convex state-spaces of TA. The theory and algorithm of TCTL model-checking were first given in [1]. The algorithm is based on region graphs and helps manifest the PSPACE-complexity of the TCTL model-checking problem. 

In [17], Henzinger et al. proposed an efficient symbolic model-checking algorithm for TCTL. However, the algorithm does not distinguish between Zeno and non-Zeno computations. Instead, the authors proposed to modify TAs with Zeno computations into ones without. In comparison, our greatest fixpoint evaluation algorithm is innately able to quantify over non-Zeno computations. 

Several verification tools for TA have been devised and implemented so far [15, 19, 24, 28, 34, 35, 36, 37]. UPPAAL is one of the popular tools with DBM technology. It supports safety (reachability) analysis with forward reasoning techniques. Various state-space abstraction techniques and compact representation techniques have been developed [7, 21]. Recently, Möller has used UPPAAL with abstraction techniques to analyze restricted inevitability properties with no modal-formula nesting [26]. The idea is to make model augmentations to speed up the verification performance. Möller also shows how to extend the idea to analyze TCTL with only universal quantifications. However, no experiment has been reported on the verification of nested modal-formulas. 

Kronos [13] is a full TCTL model-checker with DBM technology and both forward and backward reasoning capability. Experiments demonstrating how to use Kronos to verify several TCTL bounded inevitability properties are reported in [40]. (Bounded inevitabilities are those inevitabilities specified with a deadline.) But no report has been made on how to enhance the performance of general inevitability analysis. In comparison, we have discussed techniques like EDGF and abstractions which handle both bounded and unbounded inevitabilities. 

DDD is a reachability analyzer based on BDD-like data-structures for TA [23, 24]. 

SGM is a compositional safety (reachability) analyzer for TA, also based on DBM technology. A 
newer version also supports partial TCTL model-checking. 

CMC is another compositional model-checker [20]. Its specification language is a restricted subclass of TCTL and is capable of specifying bounded inevitabilities. 

Our tool red (version 4.1 [33]) is a full TCTL model-checker/simulator with a BDD-like data-structure, called CRD (clock-restriction diagram) [33, 34, 35]. Previous research with red has focused on enhancing the performance of safety analysis. 

Abstraction techniques for analysis have been studied in great depth since the pioneering work of Cousot et al. For TA, convex-hull over-approximation [39] has been a popular choice for DBM technology due to its intuitiveness and effective performance. It is difficult to implement this over-approximation in red [35] since variable-accessing has to observe the variable-orderings of BDD-like data-structures. Nevertheless, many over-approximation techniques for TA have been reported for BDD-like data-structures and specifically for CRD. 

Relations between abstraction techniques and subclasses of CTL with only universal (or, respectively, existential) path quantifiers have been studied before. As mentioned above, the corresponding framework in TCTL is noted in [26]. 



3 Timed automata (TA) 

We use the widely accepted model of timed automata [2], which is a finite-state automaton equipped with a finite set of clocks which can hold nonnegative real values. At any moment, a timed automaton can stay in only one mode (or control location). In its operation, one of the transitions can be triggered when the corresponding triggering condition is satisfied. Upon being triggered, the automaton instantaneously transits from one mode to another and resets some clocks to zero. Between transitions, all clocks increase their readings at a uniform rate. 

For convenience, given a set $Q$ of modes and a set $X$ of clocks, we use $B(Q, X)$ as the set of all Boolean combinations of atoms of the forms $q$ and $x - x' \sim c$, where $q \in Q$, $x, x' \in X \cup \{0\}$, "$\sim$" is one of $<, \leq, =, \geq, >$, and $c$ is an integer constant. 

Definition 1 timed automata (TA) A TA $A$ is given as a tuple $(X, Q, I, \mu, T, \tau, \pi)$ with the following restrictions. $X$ is the set of clocks. $Q$ is the set of modes. $I \in B(Q, X)$ is the initial condition. $\mu : Q \mapsto B(\emptyset, X)$ defines the invariance condition of each mode. $T \subseteq Q \times Q$ is the set of transitions. $\tau : T \mapsto B(\emptyset, X)$ and $\pi : T \mapsto 2^X$ respectively define the triggering condition and the clock set to reset of each transition. ■ 

A valuation of a set is a mapping from the set to another set. Given an $\eta \in B(Q, X)$ and a valuation $\nu$ of $X$, we say $\nu$ satisfies $\eta$, in symbols $\nu \models \eta$, iff it is the case that when the variables in $\eta$ are interpreted according to $\nu$, $\eta$ evaluates to true. 

Definition 2 states A state $\nu$ of $A = (X, Q, I, \mu, T, \tau, \pi)$ is a valuation of $X \cup Q$ such that 

• there is a unique $q \in Q$ such that $\nu(q) = \mathit{true}$ and for all $q' \neq q$, $\nu(q') = \mathit{false}$; 

• for each $x \in X$, $\nu(x) \in \mathcal{R}^{+}$ (the set of nonnegative reals) and $\forall q \in Q$, $\nu(q) \Rightarrow \nu \models \mu(q)$. 

Given a state $\nu$ and $q \in Q$ such that $\nu(q) = \mathit{true}$, we call $q$ the mode of $\nu$. ■ 

For any $t \in \mathcal{R}^{+}$, $\nu + t$ is a state identical to $\nu$ except that for every clock $x \in X$, $(\nu + t)(x) = \nu(x) + t$. Given $\bar{X} \subseteq X$, $\nu\bar{X}$ is a new state identical to $\nu$ except that for every $x \in \bar{X}$, $\nu\bar{X}(x) = 0$. 

Definition 3 runs (computations) Given a TA $A = (X, Q, I, \mu, T, \tau, \pi)$, a run is an (infinite) sequence of state-time pairs, $(\nu_0, t_0)(\nu_1, t_1) \cdots (\nu_k, t_k) \cdots$, such that $\nu_0 \models I$ and $t_0 t_1 \ldots t_k \ldots$ is a monotonically increasing real-number (time) divergent sequence, and for all $k \geq 0$, 

• invariance conditions are preserved in each interval: that is, for all $t \in [0, t_{k+1} - t_k]$, $\nu_k + t \models \mu(\mathrm{mode}(\nu_k))$; and 

• either no transition happens at time $t_k$, that is, $\nu_k + (t_{k+1} - t_k) = \nu_{k+1}$; or a transition happens at $t_k$, that is, 

— there is such a transition, that is $(\nu_k, \nu_{k+1}) \in T$; and 

— the corresponding triggering condition is satisfied, that is, $\nu_k + (t_{k+1} - t_k) \models \tau(\nu_k, \nu_{k+1})$; and 

— the clocks are reset to zero accordingly, that is, $(\nu_k + (t_{k+1} - t_k))\pi(\nu_k, \nu_{k+1}) = \nu_{k+1}$. ■ 
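As an added illustration of Definitions 1 to 3 (this is example code written for this page, not code from the paper or from red), the following Python encodes a constructed one-clock timed automaton and checks a finite run prefix against the conditions of Definition 3. The automaton (modes idle and busy, clock x, invariant x ≤ 5 in busy, a busy→idle transition enabled once x ≥ 2, both transitions resetting x), the helper names and the sample runs are all assumptions made for the example. Time divergence is a property of the infinite run and cannot be judged on a finite prefix, so the checker covers the remaining conditions: initial condition, strictly increasing time stamps, invariance throughout each interval, and, at each step, either pure time-passage or a transition whose trigger holds before the jump and whose reset yields the next state.

```python
# Added example (not from the paper, not red's code): checking a finite run
# prefix against Definition 3 for a constructed one-clock timed automaton.
# Assumed automaton: modes 'idle' and 'busy', one clock 'x', invariant x <= 5
# in 'busy', idle->busy always enabled, busy->idle enabled once x >= 2,
# both transitions reset x.

MODES = ("idle", "busy")
CLOCKS = ("x",)


def make_state(mode, x):
    """A state is a valuation of X ∪ Q: exactly one mode is true, clocks are reals."""
    s = {q: (q == mode) for q in MODES}
    s["x"] = float(x)
    return s


def mode_of(state):
    """The unique mode q with state[q] = true (Definition 2)."""
    active = [q for q in MODES if state[q]]
    assert len(active) == 1, "a state has exactly one active mode"
    return active[0]


def advance(state, t):
    """nu + t: every clock reading increases by t (time-passage)."""
    s = dict(state)
    for c in CLOCKS:
        s[c] = state[c] + t
    return s


def reset(state, clock_set):
    """nu X-bar: the clocks in clock_set are set to zero."""
    s = dict(state)
    for c in clock_set:
        s[c] = 0.0
    return s


# The constructed TA (X, Q, I, mu, T, tau, pi); predicates are Python callables.
TA = {
    "I": lambda s: s["idle"] and s["x"] == 0,           # initial condition
    "mu": {"idle": lambda s: True,                      # invariance conditions
           "busy": lambda s: s["x"] <= 5},
    "T": {("idle", "busy"), ("busy", "idle")},         # transitions
    "tau": {("idle", "busy"): lambda s: True,          # triggering conditions
            ("busy", "idle"): lambda s: s["x"] >= 2},
    "pi": {("idle", "busy"): {"x"},                    # clocks reset
           ("busy", "idle"): {"x"}},
}


def check_run_prefix(ta, run):
    """Return (ok, reason) for a finite prefix (nu_0,t_0)...(nu_n,t_n).

    Invariants in this example are conjunctions of upper bounds (convex), so
    checking both endpoints of each interval [0, delta] is sufficient.
    """
    nu0, _ = run[0]
    if not ta["I"](nu0):
        return False, "initial state violates I"
    for k in range(len(run) - 1):
        (nu_k, t_k), (nu_next, t_next) = run[k], run[k + 1]
        if t_next <= t_k:
            return False, f"time does not increase at step {k}"
        delta = t_next - t_k
        q = mode_of(nu_k)
        for t in (0.0, delta):                           # invariant on [0, delta]
            if not ta["mu"][q](advance(nu_k, t)):
                return False, f"invariant of {q} violated at step {k}"
        before_jump = advance(nu_k, delta)
        if before_jump == nu_next:                       # no transition happens
            continue
        e = (q, mode_of(nu_next))
        if e not in ta["T"]:
            return False, f"no transition {e} at step {k}"
        if not ta["tau"][e](before_jump):
            return False, f"trigger of {e} is false at step {k}"
        expected = reset(before_jump, ta["pi"][e])
        expected[q], expected[e[1]] = False, True          # mode switch
        if expected != nu_next:
            return False, f"reset of {e} does not yield next state at step {k}"
    return True, "prefix satisfies Definition 3"


# Constructed run prefixes: one valid, one that leaves 'busy' too early.
GOOD_RUN = [(make_state("idle", 0), 0.0), (make_state("busy", 0), 1.0),
            (make_state("idle", 0), 4.0), (make_state("idle", 2.5), 6.5)]
EARLY_EXIT = [(make_state("idle", 0), 0.0), (make_state("busy", 0), 1.0),
              (make_state("idle", 0), 2.0)]   # busy->idle needs x >= 2, here x = 1
```

check_run_prefix(TA, GOOD_RUN) accepts the first prefix (a jump to busy at time 1, a jump back at time 4 with x = 3, then pure time-passage), while check_run_prefix(TA, EARLY_EXIT) rejects the second because the busy→idle trigger x ≥ 2 is false at time 2; a prefix that stays in busy for more than 5 time units is rejected on the invariance condition instead.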

4 TCTL (Timed CTL) 

TCTL [1, 17] is a branching temporal logic for the specification of dense-time systems. 

Definition 4 (Syntax of TCTL formulas): A TCTL formula $\phi$ has the following syntax rules. 

$\phi ::= \eta \mid \phi_1 \vee \phi_2 \mid \neg\phi_1 \mid x.\phi_1 \mid \exists\phi_1\,\mathcal{U}\,\phi_2 \mid \exists\Box\phi_1$ 

Here $\eta \in B(Q, X)$ and $\phi_1, \phi_2$ are TCTL formulas. ■ 
The modal operators are intuitively explained in the following. 

• $x.\phi$ means that "if there is a clock $x$ with reading zero now, then $\phi$ is satisfied." 

• $\exists$ means "there exists a run". 

• $\phi_1\,\mathcal{U}\,\phi_2$ means that along a computation, $\phi_1$ is true until $\phi_2$ becomes true. 

• $\Box\phi_1$ means that along a computation, $\phi_1$ is always true. 

Besides the standard shorthands of temporal logics [1, 17], we adopt the following for TCTL: 

• $\exists\Diamond\phi_1$ for $\exists\,\mathit{true}\,\mathcal{U}\,\phi_1$ 

• $\forall\Box\phi_1$ for $\neg\exists\Diamond\neg\phi_1$ 

• $\forall\phi_1\,\mathcal{U}\,\phi_2$ for $\neg\big((\exists(\neg\phi_2)\,\mathcal{U}\,\neg(\phi_1 \vee \phi_2)) \vee (\exists\Box\neg\phi_2)\big)$ 

• $\forall\Diamond\phi_1$ for $\forall\,\mathit{true}\,\mathcal{U}\,\phi_1$ 

Definition 5 (Satisfaction of TCTL formulas): We write $A, \nu \models \phi$ to mean that $\phi$ is satisfied at state $\nu$ in TA $A$. The satisfaction relation is defined inductively as follows. 

• When $\phi_1 \in B(Q, X)$, $A, \nu \models \phi_1$ according to the definition at the beginning of section 3. 

• $A, \nu \models \phi_1 \vee \phi_2$ iff either $A, \nu \models \phi_1$ or $A, \nu \models \phi_2$. 

• $A, \nu \models \neg\phi_1$ iff $A, \nu \not\models \phi_1$. 

• $A, \nu \models x.\phi_1$ iff $A, \nu\{x\} \models \phi_1$. 

• $A, \nu \models \exists\phi_1\,\mathcal{U}\,\phi_2$ iff there exists a run $(\nu_1, t_1)(\nu_2, t_2) \cdots$ such that $\nu_1 = \nu$ in $A$, and there exist an $i \geq 1$ and a $\delta \in [0, t_{i+1} - t_i]$, s.t. 

— $A, \nu_i + \delta \models \phi_2$, 

— for all $j, \delta'$, if either $(1 \leq j < i) \wedge (\delta' \in [0, t_{j+1} - t_j])$ or $(j = i) \wedge (\delta' \in [0, \delta))$, then $A, \nu_j + \delta' \models \phi_1$. 

In words, $\nu$ satisfies $\exists\phi_1\,\mathcal{U}\,\phi_2$ iff there exists a run from $\nu$ such that along the run, $\phi_1$ is true until $\phi_2$ is true. 

• $A, \nu \models \exists\Box\phi_1$ iff there exists a run $(\nu_1, t_1)(\nu_2, t_2) \cdots$ such that $\nu_1 = \nu$ in $A$, and for every $i \geq 1$ and $\delta \in [0, t_{i+1} - t_i]$, $A, \nu_i + \delta \models \phi_1$. In other words, $\nu$ satisfies $\exists\Box\phi_1$ iff there exists a run from $\nu$ such that $\phi_1$ is always true. 

A TA $A$ satisfies a TCTL formula $\phi$, in symbols $A \models \phi$, iff for every state $\nu_0 \models I$, $A, \nu_0 \models \phi$. ■ 



5 TCTL Model-checking algorithm with non-Zeno requirements 

Our model-checking algorithm is backward reasoning. We need two basic procedures, one for the computation of the weakest precondition of transitions, and the other for backward time-progression. These two procedures are important in the symbolic construction of backward reachable state-space representations. Various presentations of the two procedures can be found in [17, ...]. Given a state-space representation $\eta$ and a transition $e$, the first procedure, xtion_bck$(\eta, e)$, computes the weakest precondition 

• in which every state satisfies the invariance condition imposed by $\mu()$; and 

• from which we can transit to states in $\eta$ through $e$. 

The second procedure, time_bck$(\eta)$, computes the space representation of states 

• from which we can go to states in $\eta$ simply by time-passage; and 

• every state in the time-passage also satisfies the invariance condition imposed by $\mu()$. 

With the two basic procedures, we can construct a symbolic backward reachability procedure as in [17, ...]. We call this procedure reachable-bck$(\eta_1, \eta_2)$ for convenience. Intuitively, reachable-bck$(\eta_1, \eta_2)$ characterizes the backwardly reachable state-space from states in $\eta_2$ through runs along which all states satisfy $\eta_1$. Computationally, reachable-bck$(\eta_1, \eta_2)$ can be defined as the least fixpoint of the equation $Y = \eta_2 \vee (\eta_1 \wedge \mathrm{time\_bck}(\eta_1 \wedge \bigvee_{e \in T} \mathrm{xtion\_bck}(Y, e)))$, i.e., 

reachable-bck$(\eta_1, \eta_2) = \mathrm{lfp}\, Y.\, \big(\eta_2 \vee (\eta_1 \wedge \mathrm{time\_bck}(\eta_1 \wedge \bigvee_{e \in T} \mathrm{xtion\_bck}(Y, e)))\big)$. 

Our model-checking algorithm is modified from the classic model-checking algorithm for TCTL [17]. The design of the greatest fixpoint evaluation algorithm with consideration of the non-Zeno requirement is based on the following lemma. 

Lemma 6 Given $d \geq 1$, $A, \nu \models \exists\Box\eta$ iff there is a finite run from $\nu$ of duration $\geq d$ such that along the run every state satisfies $\eta$ and the finite run ends at a state satisfying $\exists\Box\eta$. 

Proof: Details are omitted due to the page limit. But note that we can construct an infinite and divergent run by concatenating an infinite sequence of finite runs with durations $\geq d \geq 1$. The existence of infinitely many such concatenable finite runs is assured by the recursive construction of $\exists\Box\eta$. ■ 

Then $\exists\Box\eta$ can be defined with the following greatest fixpoint. 

$\exists\Box\eta = \mathrm{gfp}\, Y.\, \big(ZC.\, \mathrm{reachable\text{-}bck}(\eta, Y \wedge ZC \geq d)\big)$ 

Here clock $ZC$ is used specifically to measure the non-Zeno requirement. The following procedure constructs the greatest fixpoint satisfying $\exists\Box\eta$ with the non-Zeno requirement. 

gfp(η) /* d is a static parameter for measuring time-progress */ { 
    Y := η; Y' := true; 
    repeat until Y = Y', {                                                                   (1) 
        Y' := Y; Y := Y ∧ clock_eliminate(ZC = 0 ∧ reachable-bck(η, Y ∧ ZC ≥ d), ZC);         (2) 
    } 
    return Y; 
} 

Here clock_eliminate() removes a clock from a state-predicate without losing information on the relations among the other clocks. Details can be found in appendix A. 

Note here that d works as a parameter. We can choose the value of $d \geq 1$ for better performance in the computation of the greatest fixpoint. 

Procedure gfp() can be used in the labeling algorithm in [1, 17] to replace the evaluation of $\exists\Box$-formulas. For completeness of the presentation, please check appendix B to see our complete model-checking algorithm with the non-Zeno requirement. The correctness follows from Lemma 6. 

6 Model-checking with Early Decision on the Greatest Fixpoint 
(EDGF) 

In the evaluation of the greatest fixpoint for formulas like $\exists\Box\phi_1$, we start from the description, say $Y$, of a subspace of $\phi_1$ and iteratively eliminate those subspaces which cannot go to a state in $Y$ through finite runs of $\geq d \geq 1$ time units. Thus, the state-space represented by $Y$ shrinks iteratively until it settles at a fixpoint. In practice, this greatest fixpoint usually happens in conjunction with other formulas. For example, we may want to specify $\mathit{collision} \rightarrow y.\forall\Diamond(y \leq 26 \wedge \mathit{idle})$, meaning that a bus at the collision state will enter the idle state within 26 time-units. After negation for model-checking, we get $\mathit{collision} \wedge y.\exists\Box(y > 26 \vee \neg\mathit{idle})$. In evaluating this negated formula, we want to see if the greatest fixpoint for the $\exists\Box$-formula intersects with the state-space for $\mathit{collision}$. We do not actually have to compute the greatest fixpoint to know if the intersection is empty. Since the value of $Y$ iteratively shrinks, we can check if the intersection between $Y$ and the state-space for $\mathit{collision}$ becomes empty at each iteration of the greatest fixpoint construction (i.e., the repeat-loop at statement (1) in procedure gfp). If at an iteration we find that the intersection with $Y$ is already empty, then there is no need to continue calculating the greatest fixpoint and we can immediately return the current value of $Y$ (or false) without affecting the result of the model-checking. 

Based on this idea, we rewrite our model-checking algorithm with our Early Decision on the Greatest Fixpoint (EDGF). We introduce a new parameter $\beta$ to pass the information of the target states inherited from the scope. 



Eval-EDGF(A, χ, β, φ) 
/* χ is the set of clocks declared in the scope of φ */ 
/* β is the constraint inherited in the scope of φ for early decision of gfp */ { 
    switch (φ) { 
        case (false): return false; 
        case (p): return p ∧ ⋀_{x∈χ} x ≥ 0; 
        case (x − y ∼ c): return x − y ∼ c ∧ ⋀_{x∈χ} x ≥ 0; 
        case (φ1 ∨ φ2): return Eval-EDGF(A, χ, β, φ1) ∨ Eval-EDGF(A, χ, β, φ2); 
        case (φ1 ∧ φ2): 
            if φ2 does not contain a modal operator, { 
                η2 := Eval-EDGF(A, χ, β, φ2); 
                return η2 ∧ Eval-EDGF(A, χ, β ∧ η2, φ1);                                      (3) 
            } else { 
                η1 := Eval-EDGF(A, χ, β, φ1); 
                return η1 ∧ Eval-EDGF(A, χ, β ∧ η1, φ2);                                      (4) 
            } 
        case (¬φ1): return ¬Eval-EDGF(A, χ, true, φ1); 
        case (x.φ1): return clock_eliminate(x = 0 ∧ Eval-EDGF(A, χ ∪ {x}, β, φ1 ∧ x ≥ 0), x); 
        case (∃φ1 U φ2): 
            η1 := Eval-EDGF(A, χ, true, φ1); η2 := Eval-EDGF(A, χ, true, φ2); 
            return reachable-bck(η1, η2); 
        case (∃□φ1): return gfp_EDGF(Eval-EDGF(A, χ, true, φ1), β); 
    } 
} 

gfp_EDGF(η, β) /* d is a static parameter for measuring time-progress */ { 
    Y := η; Y' := true; 
    repeat until Y = Y' or (Y ∧ β) = false, {                                                 (5) 
        Y' := Y; Y := Y ∧ clock_eliminate(ZC = 0 ∧ reachable-bck(η, Y ∧ ZC ≥ d), ZC);         (6) 
    } 
    return Y; 
} 

To model-check TA $A$ against TCTL formula $\phi$, we reply true iff Eval-EDGF$(A, \emptyset, \mathit{true}, \neg\phi)$ is false. As can be seen from statements (3) and (4) in the case of conjunction formulas, we strengthen the target-state information. In the evaluation of the greatest fixpoint, we use the condition test $(Y \wedge \beta) = \mathit{false}$ in statement (5) to check for early decision. 

7 Greatest fixpoint computation by tolerating Zenoness 

In practice, the greatest fixpoint computation procedures presented in the last two sections can be costly in computing resources since their characterizations have a least fixpoint nested in a greatest fixpoint. This is necessary to guarantee that only non-Zeno computations are considered. In reality, it may happen that, due to well-designed behaviors, systems still satisfy certain inevitability properties for both Zeno and non-Zeno computations. In this case, we can benefit from a less expensive procedure to compute the greatest fixpoint. For example, we have designed the following procedure which does not rule out Zeno computations in the evaluation of $\exists\Box$-formulas. 

gfp_Zeno_EDGF(η, β) { 
    Y := η; Y' := true; 
    repeat until Y = Y' or (Y ∧ β) = false, {                                                 (7) 
        Y' := Y; Y := Y ∧ η ∧ time_bck(η ∧ ⋁_{e∈T} xtion_bck(Y, e)); 
    } 
    return Y; 
} 

Even though the procedure can be imprecise, over-estimating the greatest fixpoint, it can be much less expensive in the verification of well-designed real-world projects. 
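As an added illustration of the three greatest-fixpoint procedures of sections 5, 6 and 7 (gfp(), gfp_EDGF() and gfp_Zeno_EDGF()), the following Python is example code written for this page, not the paper's algorithm as implemented in red. It replaces the symbolic dense-time machinery with a constructed finite transition system whose edges carry a duration of 0 or 1 time units, so that an infinite run taking only 0-duration edges plays the role of a Zeno computation. reachable_bck stands in for the inner least fixpoint: it works over (state, elapsed-time) pairs with the elapsed time capped at d, which is the discrete form of the ZC ≥ d test; the outer loops, the early-decision test (Y ∧ β) = false and the Zeno-tolerant variant that ignores durations follow statements (1)/(2), (5)/(6) and (7). All states, edges, the predicate η and the target β are constructed for the example.

```python
# Added example (not from the paper, not red's code): the greatest-fixpoint
# procedures gfp(), gfp_EDGF() and gfp_Zeno_EDGF() over a constructed finite
# transition system.  Each edge carries a duration of 0 or 1 time units, so an
# infinite run that only takes 0-duration edges is the discrete analogue of a
# Zeno computation.  Everything below (states, edges, eta, beta) is constructed.

# Edges: (source, destination, duration).  C has a 0-duration self loop and can
# only let time pass by moving to D; G1..G4 form a chain that drains into D.
EDGES = [
    ("A", "B", 1), ("B", "A", 1),          # genuine non-Zeno loop inside eta
    ("C", "C", 0), ("C", "D", 1),          # Zeno trap: time passes only via D
    ("E", "C", 1),
    ("G1", "G2", 1), ("G2", "G3", 1), ("G3", "G4", 1), ("G4", "D", 1),
]
STATES = {s for e in EDGES for s in e[:2]}
ETA = STATES - {"D"}                       # the state predicate eta: all but D


def reachable_bck(eta, target, d):
    """Discrete stand-in for reachable-bck(eta, Y ∧ ZC ≥ d).

    Least fixpoint over pairs (s, r): from s there is a finite path, all of
    whose states satisfy eta, of total duration at least r (capped at d) that
    ends in a target state.  Returns the states s with (s, d) in the fixpoint,
    i.e. those with such a path of duration ≥ d, which is the ZC ≥ d test.
    """
    pairs = {(s, 0) for s in target if s in eta}
    changed = True
    while changed:                          # iterate the lfp to convergence
        changed = False
        for src, dst, dur in EDGES:
            if src not in eta:
                continue
            for (t, r) in list(pairs):
                if t == dst:
                    p = (src, min(d, r + dur))
                    if p not in pairs:
                        pairs.add(p)
                        changed = True
    return {s for (s, r) in pairs if r >= d}


def gfp_nonzeno(eta, d, beta=None):
    """gfp() of section 5, or gfp_EDGF() of section 6 when beta is given.

    Returns (Y, iterations).  With beta, the loop also stops as soon as
    Y ∧ beta is empty (statement (5)); the returned Y may then be larger than
    the true fixpoint, but its intersection with beta is already decided.
    """
    Y, iterations = set(eta), 0
    while True:
        iterations += 1
        Y_prev = Y
        Y = Y & reachable_bck(eta, Y, d)    # statement (2) / (6)
        if Y == Y_prev or (beta is not None and not (Y & beta)):
            return Y, iterations


def gfp_zeno(eta, beta=None):
    """gfp_Zeno_EDGF() of section 7: durations are ignored, so a state
    survives as long as it has some successor (of any duration) in Y."""
    Y, iterations = set(eta), 0
    while True:
        iterations += 1
        Y_prev = Y
        Y = {s for s in Y if any(src == s and dst in Y for src, dst, _ in EDGES)}
        if Y == Y_prev or (beta is not None and not (Y & beta)):
            return Y, iterations


if __name__ == "__main__":
    exact, n_full = gfp_nonzeno(ETA, d=1)
    early, n_early = gfp_nonzeno(ETA, d=1, beta={"E"})
    loose, _ = gfp_zeno(ETA)
    print("non-Zeno E[]eta =", sorted(exact), "after", n_full, "iterations")
    print("with EDGF, beta={E}: stopped after", n_early, "iterations;",
          "E in Y:", "E" in early)
    print("Zeno-tolerant over-approximation:", sorted(loose))
```

On this system the non-Zeno fixpoint is {A, B}: C satisfies η forever only along the 0-duration self loop, and E can only reach C, so both are pared away, as is the chain G1..G4 one state per iteration. With β = {E} the EDGF loop stops after the second iteration, as soon as E has dropped out of Y, instead of running all five iterations needed to reach the fixpoint; the conclusion "E does not satisfy ∃□η" is the same. The Zeno-tolerant procedure keeps C and E, which shows the over-estimation that section 7 accepts when a model is known to be well-behaved.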
8 Abstract model-checking with TCTL$^\forall$ 

We have also experimented with abstraction techniques in the evaluation of greatest fixpoints. Due to the page limit, we shall leave the explanation to appendix C. The corresponding experiment report is in subsection 9.4. 



9 Implementation and experiments 

We have implemented the ideas in our model-checker/simulator, red version 4.1, for TA. red uses the new BDD-like data-structure, CRD (Clock-Restriction Diagram) [33, 34], and supports both forward and backward analysis, full TCTL model-checking with non-Zeno computations, deadlock detection, and counter-example generation. Users can also declare global and local (to each process) variables of type clock, integer, and pointer (to identifiers of processes). Boolean conditions on variables can be tested and variable values can be assigned. The TCTL formulas in red also allow quantification on process identifiers for succinct specification. Interested readers can download red for free from 

http://cc.ee.ntu.edu.tw/~val/ 

We design our experiment in two ways. First, we run red 4.1 with various options and benchmarks to test if our ideas can indeed improve the verification performance of inevitability properties in TCTL$^\forall$. Second, we compare red 4.1 with Kronos 5.2 to check if our implementation remains competitive in regard to other tools. However, we remind the readers that the comparison report with other tools should be read carefully since red uses different data-structures from Kronos. Moreover, it is difficult to know what fine-tuning techniques each tool has used. Thus it is difficult to conclude whether the techniques presented in this work really contribute to the performance difference between red and Kronos. Nevertheless, we believe it is still an objective measure to roughly estimate how our ideas perform. 

In the following section, we shall first discuss the design of our benchmarks, then report our experiments. Data is collected on a Pentium 4 1.7GHz with 256MB memory running LINUX. Execution times are collected for Kronos while times and memory (for data-structures) are collected for red. "s" means seconds of CPU time, "k" means kilobytes of memory space for data-structures, "O/M" means "out-of-memory." 

9.1 Benchmarks 

We do not claim that the benchmarks selected here represent the complete spectrum of model-checking tasks. The evaluation of TCTL formulas may incur various complex computations depending on the structures of the timed automata and the specification formulas. But we do carefully choose our benchmarks according to a broad spectrum of combinations of models and specifications so that we can gain some insights about the performance enhancement of TCTL inevitability analysis. Benchmarks include three different timed automata and specifications for unbounded inevitability, bounded inevitability [17], and modal operators with nesting depth zero, one, and two respectively. We identify one important benchmark which can only be verified with non-Zeno computations. The other benchmarks can be (safely) verified without the requirement of non-Zeno computations. 

Due to the page limit, we leave the description of the benchmarks to appendix D. 

9.2 Performance w.r.t. parameter for measuring time-progress 

In statement (2) of procedure gfp() and statement (6) of procedure gfp_EDGF(), we use the inequality $ZC \geq d$ to check time-progress in non-Zeno computations, where $d$ is a parameter $\geq 1$. We can choose various values for the parameter in our implementations. In the experiment reported in this subsection, we have found that the value of parameter $d$ can greatly affect the verification performance. 

In this experiment, we shall use various values of parameter d ranging from 1 to beyond the biggest 
timing constants used in the models. For the leader-election benchmark, the biggest timing constant used 
is 2. For the Pathos benchmark, the biggest timing constant used is equal to the number of processes. 
For the CSMA/CD benchmarks (A), (B), and (C), the biggest timing constant used is equal to 808. 

In fact, we can also use the strict inequality $ZC > d$, with $d \geq 1$, in statements (2) and (6) of procedures gfp() and gfp_EDGF() respectively. Due to the page limit, we shall leave the performance data table to appendix E. We have drawn charts to show the time-complexity for the benchmarks w.r.t. d-values in figure 1. More charts for the space-complexity can be found in appendix F. 

As can be seen from the charts, our algorithms may respond with different complexity curves to various model structures and specifications. For the benchmarks leader-election and PATHOS, it seems that the bigger the d-value, the better the performance. For the three CSMA/CD benchmarks, it seems that 
[Charts of figure 1 are not reproduced in this extraction. Panels: (a) leader-election, (b) PATHOS, (c) CSMA/CD(A), (d) CSMA/CD(B), (e) CSMA/CD(C). The Y-axis is "time in sec" while the X-axis is the "$\sim d$" used in "$ZC \sim d$".] 

Figure 1: Time-complexity charts w.r.t. d-values (Data collected with option EDGF) 
benchmarks       | concurrency   | no non-Zeno requirement                   | non-Zeno requirement 
                 |               | EDGF               | no EDGF              | EDGF                  | no EDGF 
                 |               | time/space/answer  | time/space/answer    | time/space/answer     | time/space/answer 
pathos           | 2 proc.s      | 0.02s/7k/true      | 0.02s/7k/true        | 0.03s/7k/true         | 0.03s/7k/true 
                 | 3 proc.s      | 0.09s/18k/true     | 0.1s/18k/true        | 0.08s/17k/true        | 0.09s/17k/true 
                 | 4 proc.s      | 0.63s/74k/true     | 0.66s/74k/true       | 0.31s/42k/true        | 0.31s/42k/true 
                 | 5 proc.s      | 6.52s/857k/true    | 6.65s/859k/true      | 1.17s/114k/true       | 1.28s/114k/true 
                 | 6 proc.s      | 161s/15087k/true   | 162s/15090k/true     | 5.22s/314k/true       | 5.37s/314k/true 
                 | 7 proc.s      | O/M                | O/M                  | 30.71s/942k/true      | 31.16s/941k/true 
leader election  | 2 proc.s      | 0.04s/10k/true     | 0.03s/10k/true       | 0.04s/16k/true        | 0.04s/16k/true 
                 | 3 proc.s      | 0.28s/33k/true     | 0.28s/33k/true       | 0.25s/84k/true        | 0.24s/84k/true 
                 | 4 proc.s      | 1.96s/84k/true     | 1.98s/84k/true       | 1.54s/338k/true       | 1.53s/338k/true 
                 | 5 proc.s      | 10.01s/23/true     | 10.07s/234k/true     | 11.23s/1164k/true     | 11.17s/1164k/true 
                 | 6 proc.s      | 52.63s/635k/true   | 48.28s/635k/true     | 110.9s/7992k/true     | 110.2s/7992k/true 
                 | 7 proc.s      | 206.7s/1693k/true  | 205.7s/1693k/true    | 860.5s/42062k/true    | 859.7s/42062k/true 
CSMA/CD (A)      | bus+2 senders | 0.07s/25k/true     | 0.15s/25k/true       | 0.33s/42k/true        | 9.29s/90k/true 
                 | bus+3 senders | 0.24s/49k/true     | 0.66s/63k/true       | 3.09s/191k/true       | 98.33s/191k/true 
                 | bus+4 senders | 0.78s/131k/true    | 2.38s/201k/true      | 26.23s/936k/true      | 867.5s/1578k/true 
                 | bus+5 senders | 2.39s/378k/true    | 8.47s/625k/true      | 195.14s/4501k/true    | 6021s/7036k 
CSMA/CD (B)      | bus+2 senders | 0.16s/25k/maybe    | 0.16s/25k/maybe      | 1.92s/37k/true        | 2.3s/37k/true 
                 | bus+3 senders | 1.52s/62k/maybe    | 1.52s/62k/maybe      | 28.67s/151k/true      | 34.88s/151k/true 
                 | bus+4 senders | 10.94s/239k/maybe  | 11.58s/239k/maybe    | 235.48s/765k/true     | 283s/766k/true 
CSMA/CD (C)      | bus+2 senders | 0.05s/25k/true     | 0.06s/25k/true       | 0.06s/25k/true        | 0.72s/36k/true 
                 | bus+3 senders | 0.14s/49k/true     | 0.21s/49k/true       | 0.29s/79k/true        | 5.51s/183k/true 
                 | bus+4 senders | 0.43s/97k/true     | 0.67s/97k/true       | 1.36s/298k/true       | 30.99s/752k/true 
                 | bus+5 senders | 1.32s/286k/true    | 2.44s/285k/true      | 6.73s/1045k/true      | 173.82s/2724k/true 
                 | bus+6 senders | 4.57s/833k/true    | 8.68s/835k/true      | 33.53s/3436k/true     | 907.41s/9031k/true 
                 | bus+7 senders | 16.32s/2364k/true  | 32.84s/2367k/true    | 166.14s/10652k/true   | 4558s/27993k/true 

Table 1: Performance w.r.t. non-Zeno requirements and EDGF techniques 



the best performance happens when d is around 80. But one thing common in these charts is that the setting ∼d = ≥ 1 
always gives the worst performance. 

We have to admit that we do not have a theory to analyze or predict the complexity curves w.r.t. 
various model structures and specifications. More experiments on more benchmarks may be needed in 
order to get more understanding of the curves. In general, we feel it can be difficult to analyze such 
complexity curves. After all, our models of TA are still "programs" in some sense. 

Nevertheless, we have still tried hard to look into the execution of our algorithms for an explanation of 
the complexity curves. Procedures gfp() and gfp_EDGF() are both constructed with an inner loop (for the 
least fixpoint evaluation of reachable-bck()) and an outer loop (for the greatest fixpoint evaluation). 
With bigger d-values, it seems that the outer loop converges faster while the inner loop converges slower. 
That is to say, with bigger d-values, we may need fewer iterations of the outer loop and, at the same time, 
more iterations of the inner loop to compute the greatest fixpoints. The complexity patterns in the charts 
are thus superpositions of the complexities of the outer loop and the inner loop. 

We have used the d-values with the best performance for the experiments reported in the next few 
subsections. For benchmarks PATHOS and leader-election, ∼d is set to > C_{A:φ}. (C_{A:φ} is the biggest 
timing constant used in model A and TCTL specification φ.) For the three CSMA/CD benchmarks, ∼d 
is set to > 80. 

9.3 Performance w.r.t. non-Zeno requirement and EDGF 

In our first experiment, we observe the performance of our inevitability analysis algorithm w.r.t. the 
non-Zeno requirement and the EDGF policy. The performance data is in table 1. In general, we find that, 
with or without the EDGF technique, a non-Zeno requirement does add more complexity to the evaluation 
of inevitability properties. Especially for the three specifications of the CSMA/CD model, exponential 
blow-ups have been observed. 

For the PATHOS benchmark, it is a totally different story. The non-Zeno requirement seems to incur much 
less complexity than without it. After we carefully traced the execution of our model-checker, we 
found that this benchmark incurs very few iterations of loop (5) in gfp_EDGF(), although each iteration 
can be costly to run. On the other hand, it incurs a significant number of iterations of loop (6) in 
gfp_Zeno_EDGF(), although each iteration is not so costly. The accumulated effect of the loop iterations 
results in performance that contradicts our expectation. This benchmark shows that the evaluation 
performance of inevitability properties is very involved and depends on many factors. 

Furthermore, benchmark CSMA/CD (B) shows that some inevitability properties can only be verified 
with non-Zeno computations. 

As for the performance of the EDGF technique, we find that when the technique fails, it only incurs 
a small overhead. When it succeeds, it significantly improves performance two to three-fold. 
benchmarks | concurrency | no abstraction | Game-abs. | Game-discrete-abs. | Game-mag.-abs.
| | time/space/answer | time/space/answer | time/space/answer | time/space/answer
pathos | 2 procs | 0.03s/7k/true | 0.01s/7k/true | 0.03s/7k/true | 0.03s/7k/true
| 3 procs | 0.08s/17k/true | 0.11s/17k/maybe | 0.09s/17k/true | 0.1s/22k/true
| 4 procs | 0.31s/42k/true | 0.36s/36k/maybe | 0.37s/36k/true | 0.78s/100k/true
| 5 procs | 1.17s/114k/true | 1.16s/71k/maybe | 1.2s/71k/true | 8.55s/674k/true
| 6 procs | 5.22s/314k/true | 2.83s/114k/maybe | 3.39s/114k/true | 191.1s/6074k/true
| 7 procs | 30.71s/942k/true | 6.66s/175k/maybe | 8.62s/175k/true | 6890s/62321k/true
leader election | 2 procs | 0.04s/16k/true | 0.03s/16k/true | 0.03s/16k/true | 0.02s/16k/true
| 3 procs | 0.25s/84k/true | 0.25s/84k/true | 0.23s/84k/true | 0.25s/84k/true
| 4 procs | 1.54s/338k/true | 1.53s/338k/true | 1.54s/338k/true | 1.52s/338k/true
| 5 procs | 11.23s/1164k/true | 11.71s/1164k/true | 11.38s/1164k/true | 11.39s/1164k/true
| 6 procs | 110.9s/7992k/true | 111.2s/7993k/true | 110.8s/7993k/true | 110.2s/7993k/true
| 7 procs | 860.6s/42062k/true | 854.8s/42123k/true | 861.5s/42123k/true | 867.7s/42123k/true
CSMA/CD (A) | bus+2 senders | 0.33s/42k/true | 0.33s/42k/true | 0.29s/42k/true | 0.33s/42k/true
| bus+3 senders | 3.09s/191k/true | 3.35s/191k/maybe | 1.33s/191k/true | 3.35s/191k/maybe
| bus+4 senders | 26.23s/936k/true | 9.57s/731k/maybe | 4.79s/731k/true | 9.57s/731k/maybe
| bus+5 senders | 195.14s/4501k/true | 29.89s/2529k/maybe | 16.96s/2529k/true | 29.8s/2529k/maybe
CSMA/CD (B) | bus+2 senders | 1.92s/37k/true | 0.58s/25k/true | 0.76s/25k/true | 0.58s/25k/true
| bus+3 senders | 28.67s/151k/true | 2.73s/88k/true | 3.91s/85k/true | 2.73s/88k/true
| bus+4 senders | 235.48s/765k/true | 9.54s/290k/true | 14.72s/281k/true | 9.54s/290k/true
CSMA/CD (C) | bus+2 senders | 0.06s/25k/true | 0.06s/25k/true | 0.05s/25k/true | 0.06s/25k/true
| bus+3 senders | 0.29s/79k/true | 0.19s/79k/true | 0.18s/79k/true | 0.19s/79k/true
| bus+4 senders | 1.36s/298k/true | 0.71s/298k/true | 0.73s/298k/true | 0.71s/298k/true
| bus+5 senders | 6.73s/1045k/true | 2.85s/1045k/true | 2.90s/1045k/true | 2.85s/1045k/true
| bus+6 senders | 33.53s/3436k/true | 11.84s/3436k/true | 11.77s/3436k/true | 11.84s/3436k/true
| bus+7 senders | 166.14s/10652k/true | 47.64s/10652k/true | 47.84s/10652k/true | 47.64s/10652k/true

All benchmarks run with non-Zeno requirement and EDGF on. 

Table 2: Performance w.r.t. abstraction techniques 



9.4 Performance w.r.t. abstraction techniques 

In table 2 we report the performance data of our red 4.1 with respect to our three abstraction techniques. 
In general, the abstraction techniques give us much better performance. Notably, game-discrete and 
game-magnitude abstractions seem to have enough accuracy to discern true properties. 

It is somewhat surprising that the game-magnitude abstraction incurs excessive complexity for the PATHOS 
benchmark. After carefully examining the traces generated by red, we found that because non-magnitude 
constraints were eliminated, some of the inconsistent convex state-spaces in the representation became 
consistent. These spurious convex state-spaces create many more paths in our CRD and greatly burden 
our greatest fixpoint calculation. For instance, the outer loop (5) of procedure gfp_EDGF() takes two 
iterations to reach the fixpoint with the game-magnitude abstraction. It only takes one iteration to do so 
without the abstraction. In our previous experience, this abstraction has worked efficiently with reachability 
analysis. It seems that the performance of abstraction techniques for greatest fixpoint evaluation 
can be subtle. 

9.5 Performance w.r.t. Kronos 

In table 3 we report the performance of Kronos 5.2 w.r.t. the five benchmarks. For PATHOS and leader 
election, Kronos did not succeed in constructing the quotient automata. But our red seems to have no 
problem in this regard with its on-the-fly exploration of the state-space. Of course, the lack of high-level 
data-variables in Kronos' modeling language may also exacerbate the problem. 

As for benchmark CSMA/CD (A), Kronos performs very well. We believe this is because this benchmark 
uses a bounded inevitability specification. Such properties have already been studied in the literature 
of Kronos [40]. 

On the other hand, benchmarks CSMA/CD (B) and (C) use unbounded inevitability specifications 
with modal-subformula nesting depths 1 and 2 respectively. Kronos does not scale up to the complexity 
of concurrency for these two benchmarks. Our red prevails in these two benchmarks. 



benchmarks | concurrency | no abstraction | extrapolation | inclusion | convex-hull
| | time/space/answer | time/space/answer | time/space/answer | time/space/answer
pathos | 2 procs | 0.0s/true | 0.0s/true | 0.0s/true | 0.0s/true
| 3 procs | 0.01s/true | 0.01s/true | 0.02s/true | 0.02s/true
| 4 procs | Q/N/C | Q/N/C | Q/N/C | Q/N/C
leader election | 2 procs | 0.0s/true | 0.0s/true | 0.0s/true | 0.0s/true
| 3 procs | 0.01s/true | 0.01s/true | 0.01s/true | 0.01s/true
| 4 procs | 0.05s/true | 0.06s/true | 0.04s/true | 0.04s/true
| 5 procs | Q/N/C | Q/N/C | Q/N/C | Q/N/C
CSMA/CD (A) | bus+2 senders | 0.0s/true | 0.01s/true | 0.0s/true | 0.01s/true
| bus+3 senders | 0.01s/true | 0.01s/true | 0.01s/true | 0.01s/true
| bus+4 senders | 0.06s/true | 0.06s/true | 0.06s/true | 0.06s/true
| bus+5 senders | 0.31s/true | 0.31s/true | 0.32s/true | 0.32s/true
CSMA/CD (B) | bus+2 senders | 8.67s/true | 8.68s/true | 8.65s/true | 8.71s/true
| bus+3 senders | O/M | O/M | O/M | O/M
CSMA/CD (C) | bus+2 senders | 2.69s/true | 2.70s/true | 2.72s/true | 2.69s/true
| bus+3 senders | O/M | O/M | O/M | O/M

Q/N/C means that Kronos cannot construct the quotient automata. 

Table 3: Performance of Kronos in comparison 



10 Conclusion 

How to enhance the performance of TCTL model-checking is a research issue to which people have not 
paid much attention. The reason may be that the reachability analysis problem for TA is already difficult 
enough and has absorbed much of our energy. Nevertheless, the issue is still important both theoretically 
and practically. Hopefully, this work can give us some insight into the complexity of the issue and attract 
more research interest in this regard. Specifically, the charts reported in subsection 9.2 may imply that 
further research is needed to investigate how to predict good d-values in real-world verification tasks. 
Our implementation shows that the ideas in this paper can be of potential use. 



References 

[1] R. Alur, C. Courcoubetis, D.L. Dill. Model Checking for Real-Time Systems, IEEE LICS, 1990. 

[2] R. Alur, D.L. Dill. Automata for modelling real-time systems. ICALP'1990, LNCS 443, Springer-Verlag, pp.322-335. 

[3] B. Alpern, F.B. Schneider. Defining Liveness. Information Processing Letters 21, 4 (October 1985), 181-185. 

[4] F. Balarin. Approximate Reachability Analysis of Timed Automata. IEEE RTSS, 1996. 

[5] J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, L.J. Hwang. Symbolic Model Checking: 10^20 States and Beyond, IEEE LICS, 1990. 

[6] J. Bengtsson, K. Larsen, F. Larsson, P. Pettersson, Wang Yi. UPPAAL - a Tool Suite for Automatic Verification of Real-Time Systems. Hybrid Control System Symposium, 1996, LNCS, Springer-Verlag. 

[7] G. Behrmann, K.G. Larsen, J. Pearson, C. Weise, Wang Yi. Efficient Timed Reachability Analysis Using Clock Difference Diagrams. CAV'99, July, Trento, Italy, LNCS 1633, Springer-Verlag. 

[8] R.E. Bryant. Graph-based Algorithms for Boolean Function Manipulation, IEEE Trans. Comput., C-35(8), 1986. 

[9] P. Cousot, R. Cousot. Abstract Interpretation: a Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints. 4th ACM POPL, January 1977. 

[10] P. Cousot, R. Cousot. Abstract Interpretation and application to logic programs. Journal of Logic Programming, 13(2-3):103-179, 1992. 

[11] E. Clarke, E.A. Emerson. Design and Synthesis of Synchronization Skeletons using Branching-Time Temporal Logic, in "Proceedings, Workshop on Logic of Programs," LNCS 131, Springer-Verlag. 

[12] E. Clarke, E.A. Emerson, A.P. Sistla. Automatic Verification of Finite-State Concurrent Systems using Temporal-Logic Specifications. ACM Trans. Programming, Languages, and Systems, 8, Nr. 2, pp. 244-263. 

[13] E. Clarke, O. Grumberg, S. Jha, Y. Lu, H. Veith. Counterexample-guided Abstraction Refinement. CAV'2000. 

[14] D.L. Dill. Timing Assumptions and Verification of Finite-state Concurrent Systems. CAV'89, LNCS 407, Springer-Verlag. 

[15] C. Daws, A. Olivero, S. Tripakis, S. Yovine. The tool KRONOS. The 3rd Hybrid Systems, 1996, LNCS 1066, Springer-Verlag. 

[16] E.A. Emerson. Uniform Inevitability is Tree Automaton Ineffable. Information Processing Letters 24(2), Jan 1987, pp.77-79. 

[17] T.A. Henzinger, X. Nicollin, J. Sifakis, S. Yovine. Symbolic Model Checking for Real-Time Systems, IEEE LICS 1992. 

[18] C.A.R. Hoare. Communicating Sequential Processes, Prentice Hall, 1985. 

[19] P.-A. Hsiung, F. Wang. User-Friendly Verification. Proceedings of 1999 FORTE/PSTV, October, 1999, Beijing. Formal Methods for Protocol Engineering and Distributed Systems, editors: J. Wu, S.T. Chanson, Q. Gao; Kluwer Academic Publishers. 

[20] F. Laroussinie, K.G. Larsen. CMC: A Tool for Compositional Model-Checking of Real-Time Systems. FORTE/PSTV'98, Kluwer. 

[21] K.G. Larsen, F. Larsson, P. Pettersson, Y. Wang. Efficient Verification of Real-Time Systems: Compact Data-Structure and State-Space Reduction. IEEE RTSS, 1998. 

[22] W. Lee, A. Pardo, J.-Y. Jang, G. Hachtel, F. Somenzi. Tearing Based Automatic Abstraction for CTL Model Checking. ICCAD'96. 

[23] J. Møller, J. Lichtenberg, H.R. Andersen, H. Hulgaard. Difference Decision Diagrams, in proceedings of Annual Conference of the European Association for Computer Science Logic (CSL), Sept. 1999, Madrid, Spain. 

[24] J. Møller, J. Lichtenberg, H.R. Andersen, H. Hulgaard. Fully Symbolic Model-Checking of Timed Systems using Difference Decision Diagrams, in proceedings of Workshop on Symbolic Model-Checking (SMC), July 1999, Trento, Italy. 

[25] Z. Manna, A. Pnueli. Temporal Verification of Reactive Systems: Safety. Springer-Verlag, 1995. 

[26] M.O. Møller. Parking Can Get You There Faster - Model Augmentation to Speed up Real-Time Model Checking. Electronic Notes in Theoretical Computer Science 65(6), 2002. 

[27] A.W. Mazurkiewicz, E. Ochmanski, W. Penczek. Concurrent Systems and Inevitability. TCS 64(3): 281-304, 1989. 

[28] P. Pettersson, K.G. Larsen. UPPAAL2k. in Bulletin of the European Association for Theoretical Computer Science, volume 70, pages 40-44, 2000. 

[29] A. Pnueli. The Temporal Logic of Programs, 18th annual IEEE-CS Symp. on Foundations of Computer Science, pp. 45-57, 1977. 

[30] R.S. Pressman. Software Engineering, A Practitioner's Approach. McGraw-Hill, 1982. 

[31] F. Wang. Efficient Data-Structure for Fully Symbolic Verification of Real-Time Software Systems. TACAS'2000, March, Berlin, Germany, in LNCS 1785, Springer-Verlag. 

[32] F. Wang. Region Encoding Diagram for Fully Symbolic Verification of Real-Time Systems, the 24th COMPSAC, Oct. 2000, Taipei, Taiwan, ROC, IEEE press. 

[33] F. Wang. RED: Model-checker for Timed Automata with Clock-Restriction Diagram. Workshop on Real-Time Tools, Aug. 2001, Technical Report 2001-014, ISSN 1404-3203, Dept. of Information Technology, Uppsala University. 

[34] F. Wang. Symbolic Verification of Complex Real-Time Systems with Clock-Restriction Diagram, to appear in Proceedings of FORTE, August 2001, Cheju Island, Korea. 

[35] F. Wang. Efficient Verification of Timed Automata with BDD-like Data-Structures, proceedings of VMCAI'2003, LNCS 2575, Springer-Verlag. 

[36] F. Wang, P.-A. Hsiung. Automatic Verification on the Large. Proceedings of the 3rd IEEE HASE, November 1998. 

[37] F. Wang, P.-A. Hsiung. Efficient and User-Friendly Verification. IEEE Transactions on Computers, Jan. 2002. 

[38] F. Wang, G.-D. Hwang, F. Yu. Symbolic Simulation of Real-Time Concurrent Systems, to appear in proceedings of RTCSA'2003, Feb. 2003, Tainan, Taiwan, ROC. 

[39] H. Wong-Toi. Symbolic Approximations for Verifying Real-Time Systems. Ph.D. thesis, Stanford University, 1995. 

[40] S. Yovine. Kronos: A Verification Tool for Real-Time Systems. International Journal of Software Tools for Technology Transfer, Vol. 1, Nr. 1/2, October 1997. 



APPENDICES 



A Procedure clock_eliminate() 



clock_eliminate(η, x) { 
  for each x1 − x ∼ c and x − x2 ∼' c', if η ∧ x1 − x ∼ c ∧ x − x2 ∼' c' is not empty, { 
    η1 := η ∧ x1 − x ∼ c ∧ x − x2 ∼' c'; 
    η := η ∧ ¬η1; η := η ∨ (η1 ∧ x1 − x2 compose_upperbound(∼, c, ∼', c')); 
  } 
  return η; 
} 

compose_upperbound(∼, c, ∼', c') { 
  if c = ∞ ∨ c' = ∞, return "< ∞"; 
  else if c = −∞, 
    if c' < 0, return "< −∞"; else return "< −C_{A:φ} + c'"; 
  else if c' = −∞, 
    if c < 0, return "< −∞"; else return "< −C_{A:φ} + c"; 
  c_r := c + c'; 
  if either ∼ or ∼' is "<", ∼_r is assigned "<", else ∼_r is assigned "≤"; 
  if c_r > C_{A:φ} ∨ (∼_r = "<" ∧ c_r = C_{A:φ}), return "< ∞"; 
  else if c_r < −C_{A:φ} ∨ (∼_r = "<" ∧ c_r = −C_{A:φ}), return "< −∞"; 
  else return "∼_r c_r"; 
} 

Procedure compose_upperbound() computes the new upper bound that results from adding two bounds, saturated at 
the absolute bound C_{A:φ}. For example, with C_{A:φ} = 5, compose_upperbound(<, 2, <, 3) = "< ∞" and 
compose_upperbound(<, 2, <, 1) = "< 3". 
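The following Python rendering of compose_upperbound(), together with the bound-combining step of clock_eliminate() restricted to a conjunctive (DBM-like) set of difference bounds, is an added example and not red's code; the names compose_upperbound, eliminate_clock and the parameter c_max (standing in for C_{A:φ}) are this example's own, and the page's two worked cases with C_{A:φ} = 5 are reproduced at the end.

```python
"""Constructed rendering of compose_upperbound() and of the bound-combining step of
clock_eliminate() from Appendix A (example code, not red's own). An upper bound is a pair
(rel, c) standing for x - y rel c with rel in {"<", "<="}; c may be +/-inf; c_max stands
in for the absolute bound C_{A:phi} of the page."""
import math

INF = math.inf


def compose_upperbound(rel1, c1, rel2, c2, c_max):
    """Bound on x1 - x2 obtained by adding a bound on x1 - x and a bound on x - x2,
    saturated at c_max exactly as the page's procedure does."""
    if c1 == INF or c2 == INF:
        return ("<", INF)
    if c1 == -INF:
        return ("<", -INF) if c2 < 0 else ("<", -c_max + c2)
    if c2 == -INF:
        return ("<", -INF) if c1 < 0 else ("<", -c_max + c1)
    cr = c1 + c2
    relr = "<" if "<" in (rel1, rel2) else "<="     # one strict bound makes the sum strict
    if cr > c_max or (relr == "<" and cr == c_max):
        return ("<", INF)                            # beyond the bound: no information kept
    if cr < -c_max or (relr == "<" and cr == -c_max):
        return ("<", -INF)
    return (relr, cr)


def tighter(b1, b2):
    """The tighter of two upper bounds on the same difference: the smaller constant wins,
    and on equal constants a strict bound beats a non-strict one."""
    if b1[1] != b2[1]:
        return b1 if b1[1] < b2[1] else b2
    return b1 if b1[0] == "<" else b2


def eliminate_clock(bounds, x, c_max):
    """Project clock x out of a conjunction of difference bounds {(a, b): (rel, c)} meaning
    a - b rel c. Every pair x1 - x, x - x2 is composed into a bound on x1 - x2 before the
    bounds mentioning x are dropped. This is the DBM-style counterpart (an assumed
    simplification) of clock_eliminate(), which works on CRD predicates with disjunction."""
    result = {k: v for k, v in bounds.items() if x not in k}
    for (x1, a), (rel1, c1) in bounds.items():
        if a != x or x1 == x:
            continue
        for (b, x2), (rel2, c2) in bounds.items():
            if b != x or x2 in (x, x1):
                continue
            new = compose_upperbound(rel1, c1, rel2, c2, c_max)
            result[(x1, x2)] = tighter(result[(x1, x2)], new) if (x1, x2) in result else new
    return result


if __name__ == "__main__":
    # The two worked cases from the page, with C_{A:phi} = 5.
    print(compose_upperbound("<", 2, "<", 3, 5))   # ('<', inf)
    print(compose_upperbound("<", 2, "<", 1, 5))   # ('<', 3)
    # Constructed zone: x1 - x < 2, x - x2 < 1 and a loose x1 - x2 <= 10; eliminating x tightens the latter.
    zone = {("x1", "x"): ("<", 2), ("x", "x2"): ("<", 1), ("x1", "x2"): ("<=", 10)}
    print(eliminate_clock(zone, "x", 5))           # {('x1', 'x2'): ('<', 3)}
```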

B Complete model-checking procedure with non-Zeno requirement 



model-check(A, φ) { 
  if Eval(A, ∅, ¬φ) is false, return true; else return false. 
} 

Eval(A, X, φ) 
/* X is the set of clocks declared in the scope of φ */ { 
  switch (φ) { 
    case (false): return false; 
    case (p): return p ∧ ⋀_{z∈X} z ≥ 0; 
    case (x − y ∼ c): return x − y ∼ c ∧ ⋀_{z∈X} z ≥ 0; 
    case (φ1 ∨ φ2): return Eval(A, X, φ1) ∨ Eval(A, X, φ2); 
    case (φ1 ∧ φ2): return Eval(A, X, φ1) ∧ Eval(A, X, φ2); 
    case (¬φ1): return ¬Eval(A, X, φ1); 
    case (x.φ1): return clock_eliminate(x = 0 ∧ Eval(A, X ∪ {x}, φ1 ∧ x ≥ 0), x); 
    case (∃φ1 U φ2): 
      η1 := Eval(A, X, φ1); η2 := Eval(A, X, φ2); 
      return reachable-bck(η1, η2); 
    case (∃□φ1): return gfp(Eval(A, X, φ1)); 
  } 
} 



C Abstract mo del- checking with TCTL 



In the application of abstraction techniques, it is important to make them safe [39]. That is to say, when 
the safe abstraction analyzer says a property is true, the property is indeed true. (But when it says false, 
we do not know whether the property is true.) There are two types of abstractions: over-approximation 
and under-approximation. The former means that the abstract state-space is a superset of the concrete 
state-space, while the latter means that the abstract state-space is a subset of the concrete state-space. 
To make an abstraction safe means that we should stick to over-approximation while evaluating ∃□¬φ 
(the negation of the inevitability ∀◇φ). But this can be difficult to enforce in general since negations deeply 
nested in formulas can turn over-approximation into under-approximation and thus make abstractions 
unsafe. 

Usually inevitability properties do not occur on their own either. Instead, they are usually nested in 
other modal-formulas. For example, normally we may specify that 

When there is a request, then eventually there is a service. 

In TCTL, this can be written as 

∀□(request → ∀◇service) (f1) 

In general, it can be difficult to keep the negation of an over-approximation from happening. But fortunately, 
formula (f1) does not have such a problem. Consider the negation of formula (f1), which is the 
following. 

∃◇(request ∧ ∃□¬service) (f2) 

Since there is no negation sign before any modal-formula, there is no problem with negation of over-
approximation. Thus over-approximation can be applied here by over-approximating the state sets 
satisfying the following subformulas in sequence (from left to right). 

¬service, ∃□¬service, request, request ∧ ∃□¬service, (f2), I ∧ (f2) 

If the state-set for I ∧ (f2) is empty, then formula (f1) is satisfied; else we do not have a conclusion. Note 
that the evaluation of the state sets for ¬service and request respectively does not need any abstraction. 

The reasoning in the last paragraph can be extended to a general subclass of TCTL, TCTL^∀. A 
formula is in TCTL^∀ iff the negation signs only appear before its atoms, and only universal path quantifications 
are used. For example, we may want to verify the following specification: 

∀□(request → ∀□(service → ∀◇request)) 

The formula says that if there is a request followed by a service, then from that service on, there will 
be a request. The negation of the specification is ∃◇(request ∧ ∃◇(service ∧ ∃□¬request)), which 
is in the subclass TCTL^∃, the subclass of TCTL with negations right before atoms and with only 
existential path quantifications. Note that the negations of formulas in TCTL^∀ fall correctly in TCTL^∃. 
The following lemma shows that over-approximation techniques with TCTL^∃ formulas always yield over-
approximation. 

Lemma 7: Given a TCTL^∃ formula φ, if we evaluate each modal-subformula in φ with over-approximation, 
then we still get an over-approximation of the state set satisfying φ. 

Proof: This can be done by an inductive analysis on the structure of φ. If φ is a literal expression 
of the form p or ¬p, then the evaluation does not involve any approximation. If φ is like φ1 ∨ φ2 or 
φ1 ∧ φ2, then the evaluation of φ still yields an over-approximation with the inductive hypothesis that the 
evaluations of φ1 and φ2 are both over-approximations. If φ is like ∃φ1 U φ2, then since the modal-formula 
is to be evaluated with over-approximation, with the inductive hypothesis, we know that φ is evaluated 
with over-approximation. The case for ∃□φ1 is similar. Thus the lemma is proven. ■ 

Our over-approximation technique is directly applied in procedure reachable-bck(). In other words, 
we can extend reachable-bck() with over-approximation techniques as follows. 

reachable-bck^abs(η1, η2) = lfp Y. abs(η2 ∨ (η1 ∧ time_bck(η1 ∧ ⋁_{e∈E} xtion_bck(Y, e)))). 

Here abs() means a generic over-approximation procedure. Thus procedure reachable-bck^abs() can be 
used in place of reachable-bck() in procedures gfp(), Eval-EDGF(), and gfp_EDGF(). 

In our tool red 4.1, we have implemented a series of game-based abstraction procedures suitable 
for BDD-like data-structures and concurrent systems [38]. We use the term "game" here because we 
envision the concurrent system operation as a game. Those processes which we want to verify are 
treated as players while the other processes are treated as opponents. In the game, the players try to win 
(maintain the specification property) under the worst (i.e., minimal) assumption on their opponents. A 
process is a player iff its local variables appear in the inevitability properties. The other processes are 
called opponents. According to the well-observed discipline of modular programming [30], the behavioral 
correctness of a functional module should be based on minimal assumptions on the environment. These 
game-based abstraction procedures omit opponents' state-information to make abstractions. 

• Game-abstraction: The game abstraction procedure eliminates the state information of the 
opponents from its argument state-predicate. 

• Game-discrete-abstraction: This abstraction procedure eliminates all clock constraints of the 
opponents in the argument state-predicate. 

• Game-magnitude-abstraction: A clock constraint like x − x' ∼ c is called a magnitude constraint iff 
either x or x' is zero itself (i.e. the constraint is either x ∼ c or −x' ∼ c). This abstraction procedure 
erases all non-magnitude constraints of the opponents in the argument state-predicate. 

Details can be found in [38]. 
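The following example, added here and not red's code, carries the Eval()/reachable-bck()/gfp() scheme of Appendix B and the safe-abstraction argument of Appendix C through on an explicit finite-state system: the specification (f1) is negated into its TCTL^∃ form (f2), evaluated by least and greatest fixpoints, and then re-evaluated with a constructed game abstraction that forgets the opponent's state. The system, its labels, the tuple-based formula syntax and the names negate, in_class, evaluate, model_check and game_abs are this example's own assumptions; time_bck and clock constraints are left out because the states are untimed.

```python
"""Untimed instance of Eval()/reachable-bck()/gfp() from Appendix B plus the TCTL^forall
negation and the over-approximating abs() of Appendix C (constructed example, not red's code).
States are explicit, so only the fixpoint structure and the safe verdict are modelled."""
from itertools import product

# Formula AST (constructed): ("true",), ("atom", a), ("not", f), ("and", f, g), ("or", f, g),
# ("AG", f), ("AF", f), ("EG", f), ("EU", f, g); EF f is written ("EU", ("true",), f).

def negate(phi):
    """Push one negation down to the atoms, dualising the path quantifiers (forall -> exists)."""
    op = phi[0]
    if op == "atom":
        return ("not", phi)
    if op == "not":
        return phi[1]
    if op in ("and", "or"):
        return ("or" if op == "and" else "and", negate(phi[1]), negate(phi[2]))
    if op == "AG":
        return ("EU", ("true",), negate(phi[1]))          # not AG f  ==  EF not f
    if op == "AF":
        return ("EG", negate(phi[1]))                     # not AF f  ==  EG not f
    raise ValueError("only TCTL^forall specifications are negated here")

def in_class(phi, quantifier):
    """Membership in TCTL^forall ('A') or TCTL^exists ('E'): negation only right before
    atoms, and every modality carrying the given path quantifier."""
    op = phi[0]
    if op in ("true", "atom"):
        return True
    if op == "not":
        return phi[1][0] == "atom"
    if op in ("and", "or"):
        return in_class(phi[1], quantifier) and in_class(phi[2], quantifier)
    return op[0] == quantifier and all(in_class(f, quantifier) for f in phi[1:])

def pre(succ, Y):
    """States with a successor in Y (discrete counterpart of xtion_bck)."""
    return {s for s, ts in succ.items() if ts & Y}

def evaluate(ts, phi, abs_=None):
    """Eval(A, X, phi) on a finite transition system ts = (states, succ, label). abs_ (an
    extensive, monotone set map) is applied inside every fixpoint iteration, as in
    reachable-bck^abs on the page, so E-formulas then yield over-approximations."""
    states, succ, label = ts
    ab = abs_ or (lambda S: S)
    op = phi[0]
    if op == "true":
        return set(states)
    if op == "atom":
        return {s for s in states if phi[1] in label[s]}   # atoms need no abstraction
    if op == "not":
        return states - evaluate(ts, phi[1], abs_)
    if op == "and":
        return evaluate(ts, phi[1], abs_) & evaluate(ts, phi[2], abs_)
    if op == "or":
        return evaluate(ts, phi[1], abs_) | evaluate(ts, phi[2], abs_)
    if op == "EU":                                  # reachable-bck(eta1, eta2): lfp
        eta1, eta2 = evaluate(ts, phi[1], abs_), evaluate(ts, phi[2], abs_)
        Y = set()
        while True:
            nxt = ab(eta2 | (eta1 & pre(succ, Y)))
            if nxt == Y:
                return Y
            Y = nxt
    if op == "EG":                                  # gfp(eta)
        eta = evaluate(ts, phi[1], abs_)
        Y = set(states)
        while True:
            nxt = ab(eta & pre(succ, Y))
            if nxt == Y:
                return Y
            Y = nxt
    # AG/AF via their duals: exact without abs_, but NOT safe with it (a negated over-approximation)
    return states - evaluate(ts, negate(phi), abs_)

def model_check(ts, init, phi, abs_=None):
    """model-check(A, phi): phi holds iff I and not-phi is empty. With an abstraction the
    negated formula lies in TCTL^exists, so a non-empty result only yields "maybe" (Lemma 7)."""
    assert in_class(phi, "A"), "a safe verdict needs a TCTL^forall specification"
    neg = negate(phi)
    assert in_class(neg, "E")
    if not (init & evaluate(ts, neg, abs_)):
        return "true"
    return "maybe" if abs_ else "false"

# Constructed request/service system: the player is a client, the opponent a server.
CLIENT, SERVER = ("idle", "waiting", "served"), ("free", "busy")
STATES = set(product(CLIENT, SERVER))
SUCC = {("idle", "free"): {("waiting", "free"), ("idle", "busy")},
        ("idle", "busy"): {("idle", "free"), ("waiting", "busy")},
        ("waiting", "free"): {("served", "busy")}, ("waiting", "busy"): {("waiting", "free")},
        ("served", "busy"): {("idle", "free")}, ("served", "free"): {("idle", "free")}}
LABEL = {s: {s[0]} for s in STATES}      # "request" = waiting, "service" = served
TS, INIT = (STATES, SUCC, LABEL), {("idle", "free")}
SPEC_F1 = ("AG", ("or", ("not", ("atom", "waiting")), ("AF", ("atom", "served"))))

def game_abs(S):
    """Game-abstraction: forget the opponent's (server's) state; always a superset of S."""
    return {(c, s) for (c, _) in S for s in SERVER}
```

Without abstraction model_check(TS, INIT, SPEC_F1) returns "true"; with game_abs the over-approximated ∃□¬served set swallows the waiting states, so the same call returns "maybe", the same loss of precision the Game-abs. column of table 2 shows for several benchmarks.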

D Benchmarks 

We use the following benchmarks to test our ideas and implementations. The specifications for the 
benchmarks fall in TCTL^∀. Thus we can also carry out experiments with our abstraction techniques. 

• PATHOS real-time operating system scheduling specification [4]: 

In the system, each process runs with a distinct priority in a period equal to the number of processes. 
The biggest timing constant used is equal to the number of processes. The unbounded inevitability 
property we want to evaluate is that "if the process with lowest priority is in the pending state, 
then inevitably it will enter the running state thereafter." For a system with three processes, this 
property is as follows. 

∀□(pending_3 → ∀◇running_3) 
The nesting depth of the modal-operators is one. 

• Leader election specification \6b\ : 

Each process has a local pointer parent and a local clock. All processes initially come with 
parent = NULL. Then a process with parent = NULL may broadcast its request to be adopted 
by a parent. Another process with parent = NULL may respond. The process with the smaller 
identifier will become the parent of the other process in the requester-responder pair. The biggest 
timing constant used is 2. The unbounded inevitability we want to verify is that eventually the 
algorithm will finish with a unique leader elected. That is 

∀◇(parent_1 = NULL ∧ ∀i : i ≠ 1, (parent_i ≠ NULL ∧ parent_i < i)) 
There are no nested modal-operators. To guarantee the inevitability, we assume that a process with 
parent = NULL will finish an iteration of the algorithm in 2 time units. 

• CSMA/CD protocol: 

Basically, this is the ethernet bus arbitration protocol with the idea of collision-and-retry. The 
timing constants used are 26, 52, and 808. We have used three TCTL specifications for these 
benchmarks. 

— The first one requires that, when two processes are simultaneously in the transmission mode, 
then within 26 time units the bus will inevitably go back to the idle state. The property is a 
bounded inevitability and can be written as follows: 

∀□((transm_1 ∧ transm_2) → x.∀◇(x ≤ 26 ∧ bus_idle)) (A) 
Note that the inevitability is timed to happen within 26 time units. This experiment allows us to 
observe how our techniques perform with bounded inevitability.

— The second specification requires that if sender 1 is in its transmission mode for no less than 
52 time units, then it will inevitably enter the wait mode. 

∀□((transm_1 ∧ x_1 ≥ 52) → ∀◇wait_1) (B) 
Specially, this specification can only be verified by quantifying only over non-Zeno computations. 

— The third specification requires that if the bus is in the idle mode and later enters the 
collision mode, then it will inevitably go back to the idle mode. This unbounded inevitability 
property is as follows. 

∀□(bus_idle → ∀□(bus_collision → ∀◇bus_idle)) (C) 
This property is special in that the nesting depth of modal-operators is two and can give us some 
insight on how our abstraction techniques scale to the inductive structure of specifications. 



E Performance data w.r.t. d-values 

The performance data with various d-value settings in the evaluation of greatest fixpoints with the non-Zeno 
computation requirement is in table 4. 
benchmarks | ∼d | 2 procs | 3 procs | 4 procs | 5 procs
| | time/space | time/space | time/space | time/space
leader | >2 | 0.03s/16k | 0.24s/84k | 1.58s/338k | 11.625s/1164k
| >1 | 0.04s/16k | 0.42s/89k | 3.55s/482k | 28.15s/1612k
| >=1 | 0.05s/16k | 0.53s/88k | 3.41s/451k | 30.52s/1554k
pathos | >5 | not available | not available | not available | 1.19s/114k
| >4 | not available | not available | 0.32s/42k | 1.17s/109k
| >3 | not available | 0.09s/17k | 0.31s/41k | 1.41s/119k
| >2 | 0.03s/7k | 0.08s/17k | 0.37s/51k | 1.83s/221k
| >1 | 0.02s/7k | 0.11s/21k | 0.55s/76k | 3.16s/244k
| >=1 | 0.04s/7k | 0.16s/26k | 0.65s/76k | 3.2s/245k
CSMA/CD (A) | >808 | 1.14s/45k | 93s/1418k | 2394.12s/10936k |
| >646 | 0.94s/44k | 65.63s/1232k | 1616.22s/8581k |
| >404 | 0.72s/43k | 34.36s/877k | 636.53s/5336k |
| >161 | 0.54s/42k | 13.24s/501k | 185.17s/2539k |
| >80 | 0.45s/42k | 6.63s/308k | 65.41s/1483k |
| >=64 | 0.46s/42k | 5.3s/259k | 51.77s/1230k |
| >=32 | 0.34s/42k | 3.22s/191k | 27.16s/936k |
| >=16 | 0.70s/82k | 6.58s/426k | 55.5s/1640k |
| >=8 | 1.43s/96k | 14.5s/510k | 123.68s/1958k |
| >=4 | 2.66s/118k | 28.37s/639k | 255.59s/2446k |
| >=2 | 5.54s/165k | 62s/900k | 516.76s/3430k |
| >=1 | 15.64s/270k | 186.86s/1480k | 1443.97s/5587k |
CSMA/CD (B) | >808 | 0.66s/35k | 34s/719k | 863.29s/5198k |
| >646 | 1.38s/62k | 48.45s/658k | 1095.99s/4187k |
| >323 | 1.15s/40k | 31.14s/421k | 507.73s/2178k |
| >161 | 1.27s/37k | 26.61s/265k | 320.67s/1199k |
| >80 | 1.91s/37k | 29.08s/151k | 240.77s/765k |
| >=64 | 2.22s/37k | 28.01s/130k | 240.44s/631k |
| >=32 | 3.51s/56k | 36.31s/228k | 272.32s/801k |
| >=16 | 6.45s/59k | 69.62s/251k | 521.32s/875k |
| >=8 | 13.88s/67k | 143.44s/280k | 1068s/958k |
| >=4 | 30.22s/80k | 309.2s/326k | 2257s/1087k |
| >=2 | 73.32s/113k | 717.8s/423k | 5165s/1349k |
| >=1 | 230s/214k | 2119s/667k | 13630s/1951k |
CSMA/CD (C) | >808 | 0.19s/25k | 1.75s/80k | 12.7s/300k |
| >646 | 0.17s/25k | 1.48s/80k | 10.09s/299k |
| >404 | 0.13s/25k | 1s/80k | 6.52s/299k |
| >161 | 0.08s/25k | 0.6s/80k | 3.68s/299k |
| >80 | 0.07s/25k | 0.4s/80k | 2.12s/299k |
| >=64 | 0.08s/25k | 0.42s/80k | 2.27s/299k |
| >=32 | 0.07s/25k | 0.32s/79k | 1.55s/298k |
| >=16 | 0.11s/36k | 0.66s/192k | 3.12s/863k |
| >=8 | 0.22s/47k | 1.51s/256k | 7.96s/1056k |
| >=4 | 0.44s/64k | 3.16s/355k | 18.61s/1438k |
| >=2 | 1.03s/98k | 9.07s/556k | 53.9s/2208k |
| >=1 | 3.3s/178k | 37.11s/1001k | 230.32s/3892k |

Table 4: Performance w.r.t. d-values 

F Space complexity charts w.r.t. d-values 

The charts for memory complexity with various d-parameter values are in figure 2. 

[Figure 2: five memory-complexity charts, panels (a) leader-election, (b) PATHOS, (c) CSMA/CD(A), (d) CSMA/CD(B), (e) CSMA/CD(C); X-axis: ∼d used in "ZC ∼ d", Y-axis: memory space in kb.] 

The Y-axis is with "memory space in kb" while the X-axis is with "∼d" used in "ZC ∼ d." 

Figure 2: Memory-complexity charts w.r.t. d-values (Data collected with option EDGF) 